TDS Installation Checklist for Production Security (Reference)

Initial Installation

Install Java

  1. Download and install the latest version of JDK 1.7.

Tomcat Install

  1. Create a dedicated user and group, without root privileges, for running Tomcat.
  2. As this user, download and install the latest version of Tomcat 7. You must use a version of Tomcat >= 7.0.43.
  3. In ${tomcat_home}/bin create a setenv.sh shell script, and set the values of JAVA_HOME, CATALINA_BASE and CONTENT_ROOT. Each of these must be customized to your installation. For example:
    #!/bin/sh
    JAVA_HOME="/usr/local/tds/jdk1.7.0_60"
    export JAVA_HOME

    CATALINA_BASE="/usr/local/tds/apache-tomcat-7.0.42"
    export CATALINA_BASE

    # no space around "=": with a space the shell would leave CONTENT_ROOT empty
    # and try to execute the -D option as a command
    CONTENT_ROOT="-Dtds.content.root.path=/opt/tds-live/content"
    Also in setenv.sh, set CATALINA_OPTS, for example:
    # modify these if you wish, or use as is
    NORMAL="-Xmx4g -Xms512m -server"

    # no longer needed in Java 8
    MAX_PERM_GEN="-XX:MaxPermSize=256m"

    # just use these as specified
    HEADLESS="-Djava.awt.headless=true"
    # CATALINA_HOME is set by Tomcat's catalina.sh before setenv.sh is sourced
    JAVA_PREFS="-Djava.util.prefs.systemRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs -Djava.util.prefs.userRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs"

    CATALINA_OPTS="$NORMAL $CONTENT_ROOT $MAX_PERM_GEN $HEADLESS $JAVA_PREFS"
    export CATALINA_OPTS
    (You can use JAVA_OPTS instead of CATALINA_OPTS, but JAVA_OPTS is used for any Java program, and CATALINA_OPTS is only used by Tomcat.)
  4. Purchase a real certificate from a certificate authority, so that users are not confused and do not question the legitimacy of your web site.
  5. Make the following modifications to ${tomcat_home}/conf/server.xml:
  6. For each user, create a SHA1 password digest using the ${tomcat_home}/bin/digest.sh script or an online service such as http://www.freeformatter.com/message-digest.html
  7. Make the following modifications to ${tomcat_home}/conf/tomcat-users.xml:
  8. Make the following modifications to ${tomcat_home}/webapps/manager/WEB-INF/web.xml:
    1. Make sure the manager is only available via SSL by adding a user-data-constraint with a transport-guarantee of CONFIDENTIAL inside the security-constraint element.
    2. DO NOT ENABLE THE MANAGER WITHOUT RESTRICTING TO SSL ACCESS ONLY. (!)
  9. Remove any unused applications from ${tomcat_home}/webapps.
  10. (optional) Build netCDF-C library on your server. Standard install directory is /opt/netcdf.

TDS Install

  1. Download the latest thredds.war file, and put it into ${tomcat_home}/webapps.
  2. Start/restart Tomcat so that it has a chance to create initial files in ${tomcat_home}/content/thredds (optional).
  3. Modify ${tomcat_home}/content/thredds/catalog.xml for your site, as in this example.
  4. Modify ${tomcat_home}/content/thredds/threddsConfig.xml for your site in the following manner:
  5. If needed, limit access to the TDS and create a robots.txt file in ${tomcat_home}/webapps/ROOT/ to restrict crawler activity.
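The following script is an added example, not part of the TDS or Tomcat distributions: it audits an installed Tomcat tree against the checkable items of the Tomcat Install list (setenv.sh, digested passwords in tomcat-users.xml, SSL-only manager, removed default webapps) and the TDS Install list (robots.txt in ROOT). The function name tds_audit is hypothetical; it takes the Tomcat base directory as its argument.

```shell
#!/bin/sh
# tds_audit: check an installed Tomcat/TDS tree against the checklist above.
# Added helper (hypothetical name), not part of Tomcat or the TDS.
# Usage: tds_audit "$CATALINA_BASE"; prints one PASS/FAIL line per check
# and returns the number of failed checks.
tds_audit() {
  home="$1"
  fails=0

  # Tomcat Install 3: setenv.sh must put the TDS content root into CATALINA_OPTS.
  setenv="$home/bin/setenv.sh"
  if [ -f "$setenv" ] && grep -q 'tds.content.root.path' "$setenv" && grep -q 'export CATALINA_OPTS' "$setenv"; then
    echo "PASS setenv.sh sets tds.content.root.path and exports CATALINA_OPTS"
  else
    echo "FAIL setenv.sh missing or CATALINA_OPTS lacks tds.content.root.path"; fails=$((fails + 1))
  fi

  # Tomcat Install 6: every password attribute in tomcat-users.xml should be a
  # hex digest (40 hex digits for SHA1), never a cleartext password.
  users="$home/conf/tomcat-users.xml"
  if [ -f "$users" ] && grep 'password="' "$users" | grep -vq 'password="[0-9a-fA-F]\{40\}"'; then
    echo "FAIL tomcat-users.xml holds a password that is not a SHA1 digest"; fails=$((fails + 1))
  else
    echo "PASS tomcat-users.xml passwords are digested (or no users file present)"
  fi

  # Tomcat Install 8: a deployed manager app must force SSL via CONFIDENTIAL.
  mgr="$home/webapps/manager/WEB-INF/web.xml"
  if [ -f "$mgr" ] && ! grep -q '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' "$mgr"; then
    echo "FAIL manager app deployed without SSL-only transport-guarantee"; fails=$((fails + 1))
  else
    echo "PASS manager app absent or restricted to SSL"
  fi

  # Tomcat Install 9: default applications shipped with Tomcat should be removed.
  for app in docs examples host-manager; do
    if [ -d "$home/webapps/$app" ]; then
      echo "FAIL unused default webapp still deployed: $app"; fails=$((fails + 1))
    fi
  done

  # TDS Install 5: robots.txt in ROOT to restrict crawler activity.
  if [ -f "$home/webapps/ROOT/robots.txt" ]; then
    echo "PASS robots.txt present in webapps/ROOT"
  else
    echo "FAIL no robots.txt in webapps/ROOT"; fails=$((fails + 1))
  fi
  return "$fails"
}
```

Run it after each checklist pass; a non-zero exit status is the count of items still open.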

Maintenance and Upgrades

Maintenance

Be sure to periodically check to make sure you are running the latest versions of Java, Tomcat and the TDS.

Upgrading the TDS

When installing a new thredds.war, everything in ${tomcat_home}/webapps/ is overwritten. However, nothing in ${tomcat_home}/content/ is overwritten.

Use one of the following methods to deploy a new version of the TDS: